Voyager18 (research)

How to fix CVE-2023-20238 in Cisco's BroadWorks platform

Cisco has patched the critical authentication bypass flaw, CVE-2023-20238, in BroadWorks platforms. Here are the details:

Yair Divinsky | September 11, 2023

Cisco has announced patches for CVE-2023-20238, a critical-severity authentication bypass vulnerability in the BroadWorks Application Delivery Platform and BroadWorks Xtended Services Platform.

Here’s what you need to know:

What is CVE-2023-20238?

The vulnerability affecting the BroadWorks calling and collaboration platform, specifically within its single sign-on (SSO) implementation, has the potential to be exploited by a remote unauthenticated attacker, enabling them to counterfeit credentials and gain unauthorized access to systems that are impacted. 

CVE-2023-20238 is rooted in the manner in which SSO tokens are authenticated. An attacker could leverage forged credentials to gain entry to the application, and if successful, they would have the capability to engage in activities such as toll fraud or execute commands at the privilege level associated with the falsified account. Even though Cisco notes that to successfully exploit the flaw the attacker would need a valid user ID associated with the affected BroadWorks system, the vulnerability has a CVSS score of 10.0. 

The issue exists because certain RADIUS accounting requests are not handled properly. An attacker sending crafted requests to a network access device that uses Cisco ISE directly could cause the RADIUS process to restart, denying user access to the network or service. 

Successful exploitation of the issue could allow a remote, unauthenticated threat actor to forge the credentials required to access an affected system, a result of the method used to validate SSO tokens. By authenticating to the application with forged credentials, an attacker could successfully commit toll fraud or even execute commands at the privilege level of the forged account. If that account is an Administrator account, the attacker would have the ability to view confidential information, modify customer settings, or modify settings for other users.  

Does CVE-2023-20238 affect me?  

The vulnerability impacts Cisco ISE versions 3.1 and 3.2 only and was addressed with the release of Cisco ISE versions 3.1P7 and 3.2P3. 

Cisco has also reported that the identified issue affects certain versions of BroadWorks, including those running AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp. PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, Xsi-VTR 

CVE-2023-20238 also impacts users of the 22.0 branch, but Cisco will not be releasing a security update for that version, so the suggested response for users of the older version is to migrate to a fixed release.  




Has CVE-2023-20238 been actively exploited in the wild? 

The tech giant says it is not aware of any of these vulnerabilities being exploited in malicious attacks. However, despite no reports of active exploitation of CVE-2023-20238 in the wild, system admins should apply the available updates as soon as possible.  


How to fix CVE-2023-20238 

The vulnerability has been resolved in Cisco BroadWorks Application Delivery Platform and BroadWorks Xtended Services Platform version AP.platform.23.0.1075.ap385341. Additionally, Cisco has introduced standalone releases, namely 2023.06_1.333 and 2023.07_1.332 for users of the 23.0 branch and to versions 2023.06_1.333 or 2023.07_1.332 for users of the release independent (RI) edition, which incorporate the essential patches.  


Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy